US20190260755A1 - System for controlling access to a plurality of target systems and applications - Google Patents
System for controlling access to a plurality of target systems and applications Download PDFInfo
- Publication number
- US20190260755A1 US20190260755A1 US16/016,154 US201816016154A US2019260755A1 US 20190260755 A1 US20190260755 A1 US 20190260755A1 US 201816016154 A US201816016154 A US 201816016154A US 2019260755 A1 US2019260755 A1 US 2019260755A1
- Authority
- US
- United States
- Prior art keywords
- entitlement
- target
- rules
- profile data
- individual
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 claims abstract description 36
- 238000004891 communication Methods 0.000 claims description 14
- 238000005065 mining Methods 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 5
- 238000012517 data analytics Methods 0.000 claims description 3
- 238000007726 management method Methods 0.000 description 13
- 238000012549 training Methods 0.000 description 13
- 239000008186 active pharmaceutical agent Substances 0.000 description 11
- 238000013459 approach Methods 0.000 description 7
- 238000003066 decision tree Methods 0.000 description 5
- 238000013068 supply chain management Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 3
- 238000013138 pruning Methods 0.000 description 3
- 238000012552 review Methods 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000004590 computer program Methods 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 238000013439 planning Methods 0.000 description 2
- 230000009467 reduction Effects 0.000 description 2
- 239000000344 soap Substances 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 241000447437 Gerreidae Species 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000013145 classification model Methods 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 238000005204 segregation Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- This application generally relates to computer management within an enterprise.
- this application describes a system and method for controlling access to a plurality of target systems and applications within an organization.
- ERP enterprise resources planning
- CRM customer relationship management
- SCM supply chain management
- the employee may have to navigate a myriad of bureaucratic hurdles, request methods, forms and system list, access entitlements, profiles and roles relevant for a system to obtain access. For example, the requestor may first need to know what to request (e.g., system, entitlements, role or profile), what he may need, and then may have to request approval from various individuals in his chain of command. Upon receiving approval, the requestor may have to provide evidence to each administrator, delegate of the system owner, etc. that he has received the necessary approvals. Thus, obtaining access can be time consuming and may tie up critical processing and network bandwidth.
- An access management (i.e., creation, modification and deletion) request is often a composite action of bundled tasks that requires a series of tasks that need to be performed in a particular sequence to achieve requested outcomes.
- bundling of tasks is also performed to make it easy for requestor and approvers of such requests to specify what they need and what needs to be approved. Unbundling of such request and determination of what tasks need to be performed is left to the human administrators and their knowledge of underlying system landscape or intermediary systems like an access management system.
- Such technical complexity is mainly attributable to:
- requestors and approvers may request more access for an individual that what is actually required or may request access for the individual based on a different persons access privileges, which may not be relevant to the individual.
- carte blanche access to the various systems may be requested with limited or no controls within the company.
- a system for controlling access to one or more of a plurality of target systems and/or applications includes an input/output (IO) subsystem, a storage device, a processor, and non-transitory computer readable media in communication with the processor.
- the IO subsystem is configured to receive profile data that defines one or more features associated with a target individual from a human resources (HR) or contractor management or a user management system, and to communicate instructions to facilitate access to the one or more target systems/applications for the target individual.
- the storage device includes one or more sets of rules where each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access.
- Each rule within a set relates a combination of one or more features of the profile data with a confidence value.
- the processor is in communication with the IO subsystem, the storage device, and the non-transitory computer readable media.
- the non-transitory computer readable media stores instruction code which, when executed by the processor, causes the processor to control the IO subsystem to receive the profile data associated with a target individual.
- the processor generates, based on the profile data and the rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement.
- the processor controls the IO subsystem to communicate an instruction either to an intermediary system (user provisioning system or a ticketing queue for manual provisioning) or directly to the target system/application associated with the entitlement to allow access to the target individual.
- an intermediary system user provisioning system or a ticketing queue for manual provisioning
- a method for controlling access to one or more of a plurality of target systems/applications includes receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals. Each entitlement is indicative of target system/application access. The method further includes generating one or more sets of rules where each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access. Each rule within a set relates a combination of one or more features of the profile data with a confidence value. Profile data that defines one or more features associated with a target individual is received from a human resources (HR) or a contractor management or a user management system.
- HR human resources
- a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements is generated based on the profile data and the rules. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, an instruction is communicated to a target system/application associated with the entitlement to allow the target individual access to the target system.
- non-transitory computer readable media that stores instruction code for controlling access to one or more of a plurality of target systems/applications.
- the instruction code is executable by a machine for causing the machine to perform acts that include receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals, each entitlement indicative of target system/application access.
- One or more sets of rules is generated. Each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access.
- Each rule within a set relates a combination of one or more features of the profile data with a confidence value.
- Profile data that defines one or more features associated with a target individual from a human resources (HR) or contractor management or a user management system is received.
- the processor generates, based on the profile data and the rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, the processor communicates an instruction either to an intermediary system (user provisioning system or a ticketing queue for manual provisioning) or directly to the target system/application associated with the entitlement to allow access to the target individual.
- an intermediary system user provisioning system or a ticketing queue for manual provisioning
- FIG. 1 illustrates an exemplary enterprise environment that includes a system that facilitates controlling access to a group of target systems and/or applications;
- FIG. 2 illustrates first exemplary operations that implement a probabilistic approach to control access to a group of target systems and/or applications
- FIG. 3 illustrates second exemplary operations that implement a rules based approach to control access to a group of target systems and/or applications
- FIGS. 4A-4H illustrate exemplary tables of information that facilitate generating exemplary rules that related feature combinations to entitlements
- FIG. 5 illustrates part of an exemplary predictive model that corresponds to a decision tree
- FIG. 6 illustrates operations for generating a predictive model according to a K-Nearest Neighbors algorithm
- FIG. 7 illustrates operations for automatic revocation of entitlements for one or more individuals based on usage criteria
- FIG. 8 illustrates an exemplary computer system that may form part of or implement the systems described in the figures or in the following paragraphs.
- entitlement and privilege refer to access to a specific target system and/or application operating on the target system by an individual. Individuals having an entitlement to a target system and/or application are granted access to the target system and/or application.
- the system generates a set of rules for different entitlements that map feature combinations associated with the different entitlements to confidence values.
- Features correspond to different attributes associated with individuals of the enterprise such as a start date, title, supervisor name, group ID, etc.
- the system applies the rules against the target individual to determine possible entitlements to grant to the target individual.
- the system may automatically communicate instructions to target systems and/or applications associated with the entitlements to grant access.
- the system may generate entitlement recommendations for review by appropriate personnel, which may then be approved or rejected.
- the system may also periodically request usage information from the target systems/applications to determine whether individuals with entitlements to these target systems actually require access to these target systems. Entitlements for individuals deemed to not require access may be revoked. In a larger enterprise, this may greatly reduce the number of individuals having entitlements to target systems of the enterprise. This in turn facilitates a reduction in the number of processors, network resources, storage, etc., required by the target systems.
- This system will keep learning from the feeds on a recurring or on real time basis.
- the system uses this data to update the model in unassisted way or in some instances with the assistance of minimal human interaction and automatically adjust its prediction and confidence for entitlements accordingly.
- FIG. 1 illustrates an exemplary enterprise environment 100 that includes various systems/devices that facilitate controlling access to a plurality of target systems.
- Exemplary systems/devices of the environment 100 include an access control system (ACS) 102 , a human resources (HR) system 104 , and a group of target systems 106 .
- the ACS 102 , HR system 104 , and target systems 106 may communicate with one another via a network 107 , such as the Internet.
- the HR system 104 and target systems 106 may correspond to computer systems such as an Intel®, AMD®, or PowerPC® based computer system or a different computer system and can include application specific computer systems.
- the computer systems may include an operating system, such as Microsoft Windows®, Linux, Unix® or other operating system.
- the HR system 104 may be operated by a user/individual who is associated with the enterprise 100 such as a human resources administrator associated with the enterprise 100 .
- the HR system 104 may facilitate specifying information associated with a target individual such as profile data.
- profile data may include biographic information (e.g., name, address) along with enterprise specific information such as an employment start date, title, grade level, manager name, group, years of experience, etc.
- the HR system/s 104 may store information associated with the target individual to a database repository that includes profile information associated with any number of employees of the enterprise 100 .
- the HR system/s 104 may be configured to facilitate communicating profile information stored in the database repository to the ACS 102 via one or more APIs of the ACS 102 .
- the HR system/s 104 may be configured to communicate with the ACS 102 via an API such as a webserver API, a SOAP-based web service, a RESTful API, and/or a different type of API.
- the target systems 106 correspond to various computers located throughout the enterprise configured to perform specific tasks.
- a first target system 106 may correspond to an enterprise resource planning (ERP) system
- a second target system 106 may correspond to a customer relationship management (CRM) system
- a third target system 106 may correspond to a supply chain management (SCM) system.
- ERP enterprise resource planning
- ERP customer relationship management
- SCM supply chain management
- Each target system 106 may implement a form of access control to prevent unauthorized access.
- each target system 106 may host various applications and each application may have its own form of access control to prevent unauthorized access.
- access to a system and/or an application operating on the system is referred to as an entitlement or privilege.
- Each target system 106 is further configured to communicate and receive entitlement related information via one or more APIs of the ACS 102 .
- each target system 106 may be configured to communicate with the ACS 102 via an API such as a webserver API, a SOAP-based web service, a RESTful API, and/or a different type of API.
- the entitlement related information may correspond to an instruction, from the ACS 102 , to grant access to the target system 106 and/or specific applications operating on the target system 106 .
- the entitlement related information may correspond to information communicated from the target system 106 to the ACS 102 that provides a listing of individuals with entitlements to the target system 106 and/or applications operating on the target system 106 .
- the information communicated from the target system 106 may provide usage information indicative of how often individuals use the target system 106 and/or applications operating on the target system 106 .
- the usage information may indicate the last time an individual used the target system 106 , a frequency of usage (e.g., number of times a month), etc. This information facilitates determining whether individual actually have a need to access the target system 106 .
- the ACS 102 may include a processor 125 , input/output subsystem 110 , model storage 120 , and instruction code storage 127 .
- the ACS 102 may include other subsystems. As described in more detail below, the ACS 102 may generate a model 120 that relates profile data received from the HR system 104 and entitlement information received from the target system 106 . The ACS 102 uses the model 120 to predict entitlements for target individuals such as new employees.
- the I/O subsystem 110 of the ACS 102 is configured to facilitate communications with entities outside of the ACS 102 .
- the I/O processor 110 may be configured to dynamically determine the communication methodology utilized by entities of the environment 100 for communicating information to the entities using the determined communication methodology. For example, the I/O subsystem 110 may determine that a first entity utilizes a RESTful API and may, therefore, communicate with the entity using a RESTful communication methodology.
- the I/O subsystem 110 may implement a web browser to facilitate generating one or more web-based interfaces through which users of the enterprise may interact with the ACS 102 .
- the web browser may implement a web services interface to facilitate automating some of the web-based functionality via a computer.
- one or more of the entities of the environment 100 may utilize the web services interfaces to access information stored by the ACS 102 .
- the processor 125 executes instruction code stored in a memory device 127 for coordinating activities performed between the various subsystems of the ACS 102 .
- the processor 125 any of the subsystems of the ACS 102 referenced herein may correspond to a stand-alone computer system such as an Intel®, AMD®, or PowerPC® based computer system or a different computer system and can include application specific computer systems.
- the computer systems may include an operating system, such as Microsoft Windows®, Linux, Unix® or other operating system. It is contemplated that operations performed on the various subsystems may be combined into a fewer or greater number of subsystems to facilitate speed scaling, cost reductions, etc.
- Exemplary operations performed by the processor 125 of the ACS 102 in controlling access to a plurality of target systems 106 are illustrated below.
- the operations may be implemented via instruction code stored in non-transitory computer readable media 127 that resides within the subsystems configured to cause the respective subsystems to perform the operations illustrated in the figures and discussed herein.
- FIG. 2 illustrates first exemplary operations that implement a probabilistic approach to control access to a plurality of target systems 106 .
- the IO subsystem 110 may receive profile data from the HR system 104 and entitlement information from the target systems 106 associated with all or a large number of individuals/employees of the enterprise.
- the processor may generate a model 120 that represents the proportion of people in the entire dataset having particular profile features for a particular entitlement, as illustrated in Table 1.
- each row corresponds to a specific entitlement (i.e., E1, E2, E3, etc.) such as access to a particular target system 106 or application operating on the target system 106 .
- Each column is associated with a feature (i.e., F1, F2, F3, etc.).
- F1, F2, F3, etc. A list of exemplary features is provided in Table 2.
- the value in each cell corresponds to the ratio of employees who have a given entitlement and feature.
- F1) corresponds to the ratio, E1/F1, of employees having entitlement E1 and feature F1.
- a subset of ratios relevant to a target individual is determined. For example, a subset of ratios associated with a target individual having features F1 and F3 is illustrated in Table 3.
- the entitlements are sorted based on their corresponding maximum ratio, W.
- the first N e.g., 5
- the entitlements of the sorted entitlements are determined to be relevant to the target individual.
- the ACS 102 may instruct target systems 106 and/or applications operating on the target systems 106 associated with the first N entitlements to grant access to the target individual.
- a report of the entitlements and the corresponding ratio, W, in the form of recommendations for review by an operator may be generated.
- a web page may be communicated to an operator to facilitate review of the recommendations.
- the webpage may have fields that allow the operator to approve or reject the recommendations.
- the operator may submit the web page form with decisions to the ACS 102 .
- the ACS 102 may in turn instruct target systems 106 and/or applications operating on the target systems 106 associated with approved entitlements to grant access to the target individual.
- the model 120 may be updated to reflect the entitlements attributed to the target individual.
- FIG. 3 illustrates second exemplary operations for generating rules that facilitate selection of entitlements to give an individual that allow the individual access to a plurality of target systems 106 .
- the second exemplary operations may be performed standalone or as a layer on top of the probabilistic approach of FIG. 2 as a means of hardening the probabilistic model 120 .
- the second exemplary operations instead of determining proportions of one feature per entitlement, various combination of features associated with each single entitlement are identified.
- FIGS. 4A and 4H The operations of FIG. 3 are better understood by referencing FIGS. 4A and 4H .
- profile data associated with a given entitlement is selected.
- the number of employees represented in the profile data could be in the thousands, hundreds of thousands, etc., and any number of entitlements may have been granted to the employees.
- ENT_A a company with only ten employees and a single entitlement in operation, as illustrated in the exemplary table of employee profile data 400 of FIG. 4A .
- employees 2 - 10 have entitlement ENT_A whereas employee 1 does not. Also, according to the table 400 , there are three HR profile descriptors (i.e., features), namely Department, Location, and Level.
- the dataset may be pruned to include just those employees that have the entitlement that is being modeled (e.g. ENT_A), as illustrated in the table 410 of FIG. 4B . Pruning may be repeated for every entitlement to be modeled, or depending on the specific algorithm adopted may facilitate an approach where pruning is not necessary and yield the same results.
- Each entitlement may be trained independently. Independent training based on a single entitlement at a time is beneficial in case any technical issues arise during training because the entitlements that have been modelled up to the point where the technical issues occurs can be safely stored and the training may continue where it left off. Entitlements may also be trained in batches or groups, and may be trained simultaneously. Thus, this aspect of training may be considered as the discovery of the rules of an entitlement.
- so called frequent-item-mining may be performed on features of selected profile data. That is, the frequency of all HR features in the dataset above a threshold (known as the support) may be calculated and a prioritized list may be created according to the frequency of occurrence, as illustrated in the table 420 of FIG. 4C . Each transaction, or employee profile, may then be rearranged by this prioritized list, as illustrated in the table 430 of FIG. 4D .
- a threshold known as the support
- an FP-growth algorithm may be utilized to perform the frequent item mining.
- the FP-growth algorithm may be implemented on a data analytics execution engine of the ACS 102 , such as Apache Spark® and the algorithm may generate the tree diagram 440 illustrated in FIG. 4E by iterating through each employee transaction. This tree may be considered as a model that contains all the rules listed in the table 440 of FIG. 4F of the entitlement which can be extracted. This approach may negate the need for profile pruning, and run on the entire employee dataset simultaneously (i.e., those that have and do not have the entitlement in question).
- confidence values for different feature combinations/rules may be determined.
- the employee list may be limited to just those employees having the entitlement being modeled.
- the rules listed in table 450 of FIG. 4F were specific to the modeled entitlement and did not consider the profiles of the employees that did not have the entitlement.
- the confidence scores would be exactly 100%. That is, each rule that was discovered would always result in having the modeled entitlement. However, this is not reflective of the true confidence value. That is, the ratio of occurrence of the rule with the entitlement to the occurrence of the rule in the entire employee landscape.
- a true confidence level is calculated by determining how often a given rule occurs in the entire employee landscape, as illustrated in the table 460 of FIG. 4G .
- this step is not necessary as the method is capable of building the entire tree with accurate confidence scores in one step.
- Every employee that is in Finance and at level 8 has the entitlement ENT_A, and every financial employee that is based in Berlin has the entitlement ENT_A.
- the confidence level can be calculated as follows:
- redundant features combinations/rules may be removed from the rule set.
- a higher level (Parent) rule For example, according to table 450 of FIG. 4F , if an employee is in Finance and at Level 8, they are 100% likely to have ENT_A. Therefore the extra location information (e.g. [Finance, Level8, Dublin] and [Finance, Level8, Berlin] and [Finance, Level8, London]) is irrelevant, as long as the employee belongs to Finance and is at level8.
- three rules may be removed, as illustrated by the stricken through rows of the table 470 in FIG. 4H .
- the operations above may be performed on all or a subset of entitlements identified in the profile data. For each entitlement, a rules table such as the table 470 in FIG. 4H may be saved.
- Subsequent operations that may be performed are similar to those described above in operations 220 - 230 .
- the entitlements may be sorted based on the corresponding maximum confidence values.
- the first N entitlements of the sorted entitlements may be determined to be relevant to the target individual.
- these entitlements may be assigned to the target individual automatically or may be presented, along with the corresponding confidence values, to a reviewer at operation 325 as recommendations to be approved or rejected at operation.
- Feedback may be received at operation 330 , and the model 120 may be updated at operation 335 .
- the training dataset may be repetitively processed to identify rule associated with a relatively small but representative sample of entitlements over a range of features. Each runs through the dataset would be enough to facilitate determination of relationships that would facilitate prediction of how many rules would be expected to be generated for each entitlement and each choice of feature parameter.
- the rules generated above may be validated, for example, by testing whether the confidence values for the rules confirm with underlying data.
- FIGS. 5 and 6 illustrate different types of predictive models 120 that may be generated to facilitate controlling access to a plurality of target systems 106 .
- FIG. 5 illustrates part of an exemplary predictive model 500 that corresponds to a decision tree, where each node corresponds to a feature.
- the decision tree model 500 may have been trained based on employee profile data received from the HR system 104 .
- Main features of the exemplary predictive model 500 used for training the model 500 in this case included CapabilityDescr, CountryNm, CompanyDescr.
- Other features used for training that are not illustrated in the graph may include CostCenterDescr, FacilityDescr, MetroCityDescr, ProfitCenterDescr, TalentSegmentDescr, time_since_joined, and many other features.
- the decision tree model 500 may learn the rules necessary to facilitate predicting an outcome that corresponds to a privilege/entitlement. These rules are made by splitting a node at each feature and selecting one out of two possible paths. For example, if “CapabilityDescr” is “software engineering”, “CountryNm” is “UK” and “CompanyDescr” is “Accenture”, then the entitlement output of the decision tree model 500 would be E1.
- FIG. 6 illustrates exemplary operations for generating a predictive model according to a K-Nearest Neighbors algorithm.
- the target individual may be plotted in a space that represents all employees of the enterprise.
- the nearest neighbors of the target individual based on features are determined.
- K may be set to 3, 5, or 7 in a K-nearest neighbor algorithm to select employees of the enterprise having features similar to those of the target individual.
- a cluster privilege profile that represents entitlements of the nearest neighbors of the target individual is generated, as illustrated in Table 4.
- each column represents a possible entitlement that a corresponding neighbor employee may have.
- a value of 1 in the cell indicates that the employee has the corresponding entitlement and a value of 0 indicates that the employee does not have the corresponding entitlement.
- the weight for each entitlement corresponds to the sum of the cell values in the column and the confidence for each entitlement corresponds to the ratio of the weight/number of neighbors.
- the entitlement having the highest confidence corresponds to E1.
- the next highest are E2 and E3 and so on.
- the entitlements having a confidence higher than a predetermine threshold are determined to be relevant to the target individual.
- the ACS 102 may instruct target systems 106 and/or applications operating on the target systems 106 associated with these entitlements to grant access to the target individual.
- a list of recommendations may be communicated to a reviewer (operation 625 ) who may accept or reject the recommendations made by the ACS 102 (operation 630 ).
- the model 120 may be updated based on the feedback provided by the reviewer (operation 635 ).
- an ensemble method may be utilized generate an ensemble model.
- the central goal of an ensemble method is to aggregate predictions made by multiple classification models.
- training data that corresponds to feature data associated with all the employees of the enterprise is broken into subsets of training data. Different models are trained for each subset of training data.
- test data may be used to calculate the average performance of the model per entitlement.
- the entitlement data may be represented in binary vector form and the performance of the model may be measured either by the average precision, recall, and/or F1 score.
- the ACS 102 may also facilitate automatic revocation of entitlements for one or more individuals based on usage criteria. For example, referring to FIG. 7 , at operation 700 , a first target system 106 may report usage information to the ACS 102 .
- the usage information may indicate the frequency with which individuals utilized the target system 106 , the last time the individuals used the target system 106 , and/or a different usage metric.
- the ACS 102 may compare the usage information to a usage threshold to determine whether revocation of an entitlement is warranted.
- the ACS 102 communicate instructions to the target system 106 to revoke the entitlement.
- the ACS 102 may update information in the model to reflect that the individual whose entitlement has been revoked, no longer has the entitlement.
- the operations described in FIG. 7 may occur at regular intervals such as every day, week, month, etc. or in real time.
- the operations facilitate reducing the number of unnecessary entitlements, which has the added benefit of improving security of the target systems 106 by reducing the number of individuals with access to the target system 106 .
- the changes to the model may result in changes to the predictions made above when assigning entitlements to target individuals. In this way, over time, entitlements may be provided to those with a real need to access the target systems 106 rather than all or an unnecessarily large number of individuals across the enterprise.
- FIG. 8 illustrates a computer system 800 that may form part of or implement the systems, environments, devices, etc., described above.
- the computer system 800 may include a set of instructions 845 that the processor 805 may execute to cause the computer system 800 to perform any of the operations described above.
- the computer system 800 may operate as a stand-alone device or may be connected, e.g., using a network, to other computer systems or peripheral devices.
- the computer system 800 may operate in the capacity of a server or as a client computer in a server-client network environment, or as a peer computer system in a peer-to-peer (or distributed) environment.
- the computer system 800 may also be implemented as or incorporated into various devices, such as a personal computer or a mobile device, capable of executing instructions 845 (sequential or otherwise) causing a device to perform one or more actions.
- each of the systems described may include a collection of subsystems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer operations.
- the computer system 800 may include one or more memory devices 810 communicatively coupled to a bus 820 for communicating information.
- code operable to cause the computer system to perform operations described above may be stored in the memory 810 .
- the memory 810 may be a random-access memory, read-only memory, programmable memory, hard disk drive or any other type of memory or storage device.
- the computer system 800 may include a display 830 , such as a liquid crystal display (LCD), a cathode ray tube (CRT), or any other display suitable for conveying information.
- the display 830 may act as an interface for the user to see processing results produced by processor 805 .
- the computer system 800 may include an input device 825 , such as a keyboard or mouse or touchscreen, configured to allow a user to interact with components of system 800 .
- an input device 825 such as a keyboard or mouse or touchscreen, configured to allow a user to interact with components of system 800 .
- the computer system 800 may also include a disk or optical drive unit 815 .
- the drive unit 815 may include a computer-readable medium 840 in which the instructions 845 may be stored.
- the instructions 845 may reside completely, or at least partially, within the memory 810 and/or within the processor 805 during execution by the computer system 800 .
- the memory 810 and the processor 805 also may include computer-readable media as discussed above.
- the computer system 800 may include a communication interface 835 to support communications via a network 850 .
- the network 850 may include wired networks, wireless networks, or combinations thereof.
- the communication interface 835 may enable communications via any number of communication standards, such as 802.11, 802.12, 802.20, WiMAX, cellular telephone standards, or other communication standards.
- methods and systems described herein may be realized in hardware, software, or a combination of hardware and software.
- the methods and systems may be realized in a centralized fashion in at least one computer system or in a distributed fashion where different elements are spread across interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods described herein may be employed.
- Computer program refers to an expression, in a machine-executable language, code or notation, of a set of machine-executable instructions intended to cause a device to perform a particular function, either directly or after one or more of a) conversion of a first language, code, or notation to another language, code, or notation; and b) reproduction of a first language, code, or notation.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
Abstract
Description
- This application is a continuation-in-part application under 35 U.S.C. § 120 to U.S. application Ser. No. 15/900,475, filed Feb. 20, 2018, which is incorporated herein by reference in its entirety.
- This application generally relates to computer management within an enterprise. In particular, this application describes a system and method for controlling access to a plurality of target systems and applications within an organization.
- Companies typically utilize systems such as enterprise resources planning (ERP) systems, customer relationship management (CRM) systems, supply chain management (SCM) systems, etc., to integrate management functions of core business processes of the company such as marketing processes, sales processes, logistics processes, etc. Access to each of these systems is typically controlled by system owners (IT or Business) and managed by administrators of the respective systems. Administrators in this case act as a delegate of the system owner.
- When an employee or a contractor (requestor) requires access to one of these systems, the employee may have to navigate a myriad of bureaucratic hurdles, request methods, forms and system list, access entitlements, profiles and roles relevant for a system to obtain access. For example, the requestor may first need to know what to request (e.g., system, entitlements, role or profile), what he may need, and then may have to request approval from various individuals in his chain of command. Upon receiving approval, the requestor may have to provide evidence to each administrator, delegate of the system owner, etc. that he has received the necessary approvals. Thus, obtaining access can be time consuming and may tie up critical processing and network bandwidth.
- An access management (i.e., creation, modification and deletion) request is often a composite action of bundled tasks that requires a series of tasks that need to be performed in a particular sequence to achieve requested outcomes. Such bundling of tasks is also performed to make it easy for requestor and approvers of such requests to specify what they need and what needs to be approved. Unbundling of such request and determination of what tasks need to be performed is left to the human administrators and their knowledge of underlying system landscape or intermediary systems like an access management system. Such technical complexity is mainly attributable to:
-
- Defense in depth or layered security; i.e., critical systems are protected by an array of control devices and methods like firewalls, VLANs, VPNs, Secure desktop access;
- Principle of least privilege; i.e., access to a system must only be provided if needed to perform a task;
- Segregation of responsibilities to limit access to highly privileged and administrative tasks;
- Ease of access administration; e.g., grouping of individuals that require similar privileges on a system or an external security mechanism like LDAP;
- Network design (security zones) and physical implementation considerations;
- Centralization of access administration through user management systems; and
- Use of external authentication systems.
- Despite attempts to group and simplify requests, the above mentioned factors often result in to complicated data and forms that a requestor and approver needs to understand and complete. As such, requestors and approvers may request more access for an individual that what is actually required or may request access for the individual based on a different persons access privileges, which may not be relevant to the individual. In some cases, carte blanche access to the various systems may be requested with limited or no controls within the company.
- However, in larger organizations, granting access this way may increase security concerns associated with these systems. Moreover, additional processing power, network resources, storage, etc., will be required to accommodate access by all the employees. This may result in inefficient use of company resources when such access is not actually required.
- In first aspect, a system for controlling access to one or more of a plurality of target systems and/or applications includes an input/output (IO) subsystem, a storage device, a processor, and non-transitory computer readable media in communication with the processor. The IO subsystem is configured to receive profile data that defines one or more features associated with a target individual from a human resources (HR) or contractor management or a user management system, and to communicate instructions to facilitate access to the one or more target systems/applications for the target individual. The storage device includes one or more sets of rules where each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access. Each rule within a set relates a combination of one or more features of the profile data with a confidence value. The processor is in communication with the IO subsystem, the storage device, and the non-transitory computer readable media. The non-transitory computer readable media stores instruction code which, when executed by the processor, causes the processor to control the IO subsystem to receive the profile data associated with a target individual. The processor generates, based on the profile data and the rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, the processor controls the IO subsystem to communicate an instruction either to an intermediary system (user provisioning system or a ticketing queue for manual provisioning) or directly to the target system/application associated with the entitlement to allow access to the target individual.
- In a second aspect, a method for controlling access to one or more of a plurality of target systems/applications includes receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals. Each entitlement is indicative of target system/application access. The method further includes generating one or more sets of rules where each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access. Each rule within a set relates a combination of one or more features of the profile data with a confidence value. Profile data that defines one or more features associated with a target individual is received from a human resources (HR) or a contractor management or a user management system. A listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements is generated based on the profile data and the rules. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, an instruction is communicated to a target system/application associated with the entitlement to allow the target individual access to the target system.
- In a third aspect, non-transitory computer readable media that stores instruction code for controlling access to one or more of a plurality of target systems/applications is provided. The instruction code is executable by a machine for causing the machine to perform acts that include receiving profile data that defines one or more features associated with a plurality of individuals with one or more entitlements of those individuals, each entitlement indicative of target system/application access. One or more sets of rules is generated. Each set of rules is associated with an entitlement of the profile data. Each entitlement is indicative of target system/application access. Each rule within a set relates a combination of one or more features of the profile data with a confidence value. Profile data that defines one or more features associated with a target individual from a human resources (HR) or contractor management or a user management system is received. The processor generates, based on the profile data and the rules, a listing that includes one or more entitlements associated with the target individual, and confidence values associated with the one or more entitlements. Each confidence value is indicative of whether the target individual should be granted a corresponding entitlement. For each entitlement having a corresponding confidence value higher than a predetermined threshold, the processor communicates an instruction either to an intermediary system (user provisioning system or a ticketing queue for manual provisioning) or directly to the target system/application associated with the entitlement to allow access to the target individual.
-
FIG. 1 illustrates an exemplary enterprise environment that includes a system that facilitates controlling access to a group of target systems and/or applications; -
FIG. 2 illustrates first exemplary operations that implement a probabilistic approach to control access to a group of target systems and/or applications; -
FIG. 3 illustrates second exemplary operations that implement a rules based approach to control access to a group of target systems and/or applications; -
FIGS. 4A-4H illustrate exemplary tables of information that facilitate generating exemplary rules that related feature combinations to entitlements; -
FIG. 5 illustrates part of an exemplary predictive model that corresponds to a decision tree; -
FIG. 6 illustrates operations for generating a predictive model according to a K-Nearest Neighbors algorithm; -
FIG. 7 illustrates operations for automatic revocation of entitlements for one or more individuals based on usage criteria; and -
FIG. 8 illustrates an exemplary computer system that may form part of or implement the systems described in the figures or in the following paragraphs. - The embodiments described below overcome the problems described in the background by providing a system that automatically determines entitlements needed by a target individual/employee. As used herein, the terms entitlement and privilege refer to access to a specific target system and/or application operating on the target system by an individual. Individuals having an entitlement to a target system and/or application are granted access to the target system and/or application.
- In general, the system generates a set of rules for different entitlements that map feature combinations associated with the different entitlements to confidence values. Features correspond to different attributes associated with individuals of the enterprise such as a start date, title, supervisor name, group ID, etc. When a target individual joins the enterprise, the system applies the rules against the target individual to determine possible entitlements to grant to the target individual. In some implementations, the system may automatically communicate instructions to target systems and/or applications associated with the entitlements to grant access. In addition or alternatively, the system may generate entitlement recommendations for review by appropriate personnel, which may then be approved or rejected.
- The system may also periodically request usage information from the target systems/applications to determine whether individuals with entitlements to these target systems actually require access to these target systems. Entitlements for individuals deemed to not require access may be revoked. In a larger enterprise, this may greatly reduce the number of individuals having entitlements to target systems of the enterprise. This in turn facilitates a reduction in the number of processors, network resources, storage, etc., required by the target systems.
- This system will keep learning from the feeds on a recurring or on real time basis. The system uses this data to update the model in unassisted way or in some instances with the assistance of minimal human interaction and automatically adjust its prediction and confidence for entitlements accordingly.
-
FIG. 1 illustrates anexemplary enterprise environment 100 that includes various systems/devices that facilitate controlling access to a plurality of target systems. Exemplary systems/devices of theenvironment 100 include an access control system (ACS) 102, a human resources (HR)system 104, and a group oftarget systems 106. TheACS 102,HR system 104, andtarget systems 106 may communicate with one another via anetwork 107, such as the Internet. - The
HR system 104 andtarget systems 106 may correspond to computer systems such as an Intel®, AMD®, or PowerPC® based computer system or a different computer system and can include application specific computer systems. The computer systems may include an operating system, such as Microsoft Windows®, Linux, Unix® or other operating system. - The
HR system 104 may be operated by a user/individual who is associated with theenterprise 100 such as a human resources administrator associated with theenterprise 100. TheHR system 104 may facilitate specifying information associated with a target individual such as profile data. Exemplary profile data may include biographic information (e.g., name, address) along with enterprise specific information such as an employment start date, title, grade level, manager name, group, years of experience, etc. - The HR system/s 104 may store information associated with the target individual to a database repository that includes profile information associated with any number of employees of the
enterprise 100. In this regard, the HR system/s 104 may be configured to facilitate communicating profile information stored in the database repository to theACS 102 via one or more APIs of theACS 102. For example, the HR system/s 104 may be configured to communicate with theACS 102 via an API such as a webserver API, a SOAP-based web service, a RESTful API, and/or a different type of API. - The
target systems 106 correspond to various computers located throughout the enterprise configured to perform specific tasks. For example, afirst target system 106 may correspond to an enterprise resource planning (ERP) system, asecond target system 106 may correspond to a customer relationship management (CRM) system, athird target system 106 may correspond to a supply chain management (SCM) system. Eachtarget system 106 may implement a form of access control to prevent unauthorized access. Moreover, eachtarget system 106 may host various applications and each application may have its own form of access control to prevent unauthorized access. As used herein, access to a system and/or an application operating on the system is referred to as an entitlement or privilege. - Each
target system 106 is further configured to communicate and receive entitlement related information via one or more APIs of theACS 102. For example, eachtarget system 106 may be configured to communicate with theACS 102 via an API such as a webserver API, a SOAP-based web service, a RESTful API, and/or a different type of API. The entitlement related information may correspond to an instruction, from theACS 102, to grant access to thetarget system 106 and/or specific applications operating on thetarget system 106. The entitlement related information may correspond to information communicated from thetarget system 106 to theACS 102 that provides a listing of individuals with entitlements to thetarget system 106 and/or applications operating on thetarget system 106. - In addition, the information communicated from the
target system 106 may provide usage information indicative of how often individuals use thetarget system 106 and/or applications operating on thetarget system 106. For example, the usage information may indicate the last time an individual used thetarget system 106, a frequency of usage (e.g., number of times a month), etc. This information facilitates determining whether individual actually have a need to access thetarget system 106. - The
ACS 102 may include aprocessor 125, input/output subsystem 110,model storage 120, andinstruction code storage 127. TheACS 102 may include other subsystems. As described in more detail below, theACS 102 may generate amodel 120 that relates profile data received from theHR system 104 and entitlement information received from thetarget system 106. TheACS 102 uses themodel 120 to predict entitlements for target individuals such as new employees. - The I/
O subsystem 110 of theACS 102 is configured to facilitate communications with entities outside of theACS 102. In this regard, the I/O processor 110 may be configured to dynamically determine the communication methodology utilized by entities of theenvironment 100 for communicating information to the entities using the determined communication methodology. For example, the I/O subsystem 110 may determine that a first entity utilizes a RESTful API and may, therefore, communicate with the entity using a RESTful communication methodology. - As described in more detail below, the I/
O subsystem 110 may implement a web browser to facilitate generating one or more web-based interfaces through which users of the enterprise may interact with theACS 102. The web browser may implement a web services interface to facilitate automating some of the web-based functionality via a computer. For example, one or more of the entities of theenvironment 100 may utilize the web services interfaces to access information stored by theACS 102. - The
processor 125 executes instruction code stored in amemory device 127 for coordinating activities performed between the various subsystems of theACS 102. Theprocessor 125 any of the subsystems of theACS 102 referenced herein may correspond to a stand-alone computer system such as an Intel®, AMD®, or PowerPC® based computer system or a different computer system and can include application specific computer systems. The computer systems may include an operating system, such as Microsoft Windows®, Linux, Unix® or other operating system. It is contemplated that operations performed on the various subsystems may be combined into a fewer or greater number of subsystems to facilitate speed scaling, cost reductions, etc. - Exemplary operations performed by the
processor 125 of theACS 102 in controlling access to a plurality oftarget systems 106 are illustrated below. In this regard, the operations may be implemented via instruction code stored in non-transitory computerreadable media 127 that resides within the subsystems configured to cause the respective subsystems to perform the operations illustrated in the figures and discussed herein. -
FIG. 2 illustrates first exemplary operations that implement a probabilistic approach to control access to a plurality oftarget systems 106. - At
operation 200, theIO subsystem 110 may receive profile data from theHR system 104 and entitlement information from thetarget systems 106 associated with all or a large number of individuals/employees of the enterprise. - At
operation 205, the processor may generate amodel 120 that represents the proportion of people in the entire dataset having particular profile features for a particular entitlement, as illustrated in Table 1. -
TABLE 1 Features Entitlements F1 F2 F3 . . . E1 P(E1|F1) P(E1|F2) P(E1|F3) . . . E2 P(E2|F1) P(E2|F2) P(E2|F3) . . . E3 P(E3|F1) P(E3|F2) P(E3|F3) . . . . . . . . . . . . . . . - Referring to Table 1, each row corresponds to a specific entitlement (i.e., E1, E2, E3, etc.) such as access to a
particular target system 106 or application operating on thetarget system 106. Each column is associated with a feature (i.e., F1, F2, F3, etc.). A list of exemplary features is provided in Table 2. -
TABLE 2 ProfitCenterDescription = CFM CapabilityDescription = CFM TalentSegmentDescription = Finance JobCDDescription = 11 CompanyDescription = acc sol pvt ltd CostCenterDescription = in-ms onshore-na FacilityDescription = Bengaluru EmployeeYearsOfService = 10 EmployeeStartDate = Jun. 1, 2007 - The value in each cell corresponds to the ratio of employees who have a given entitlement and feature. For example, P(E1|F1) corresponds to the ratio, E1/F1, of employees having entitlement E1 and feature F1.
- At
operation 210, a subset of ratios relevant to a target individual is determined. For example, a subset of ratios associated with a target individual having features F1 and F3 is illustrated in Table 3. -
TABLE 3 Features Entitlements F1 F3 E1 P(E1|F1) P(E1|F3) E2 P(E2|F1) P(E2|F3) E3 P(E3|F1) P(E3|F3) . . . . . . . . . - At
operation 215, for each entitlement in the subset, the maximum of the ratios in the row is found, which may be represented by the following formula: -
W(E)=MAX[P(E|Fi)] - where E corresponds to the entitlement and W(E) For example, where P(E1|F1) is 0.10 and P(E1|F3) is 0.5, the maximum ratio W corresponds to 0.5.
- At
operation 220, the entitlements are sorted based on their corresponding maximum ratio, W. Atoperation 225, the first N (e.g., 5) entitlements of the sorted entitlements are determined to be relevant to the target individual. - At
operation 230, theACS 102 may instructtarget systems 106 and/or applications operating on thetarget systems 106 associated with the first N entitlements to grant access to the target individual. - In alternative implementations, at
operation 235, a report of the entitlements and the corresponding ratio, W, in the form of recommendations for review by an operator may be generated. For example, a web page may be communicated to an operator to facilitate review of the recommendations. The webpage may have fields that allow the operator to approve or reject the recommendations. - At
operation 240, the operator may submit the web page form with decisions to theACS 102. TheACS 102 may in turn instructtarget systems 106 and/or applications operating on thetarget systems 106 associated with approved entitlements to grant access to the target individual. - At
operation 245, themodel 120 may be updated to reflect the entitlements attributed to the target individual. -
FIG. 3 illustrates second exemplary operations for generating rules that facilitate selection of entitlements to give an individual that allow the individual access to a plurality oftarget systems 106. The second exemplary operations may be performed standalone or as a layer on top of the probabilistic approach ofFIG. 2 as a means of hardening theprobabilistic model 120. In the second exemplary operations, instead of determining proportions of one feature per entitlement, various combination of features associated with each single entitlement are identified. The operations ofFIG. 3 are better understood by referencingFIGS. 4A and 4H . - Referring to
FIG. 3 , atoperation 300, profile data associated with a given entitlement is selected. The number of employees represented in the profile data could be in the thousands, hundreds of thousands, etc., and any number of entitlements may have been granted to the employees. However, for ease of explanation, we assume a company with only ten employees and a single entitlement in operation, ENT_A, as illustrated in the exemplary table ofemployee profile data 400 ofFIG. 4A . - According to the table 400 of
FIG. 4A , employees 2-10 have entitlement ENT_A whereasemployee 1 does not. Also, according to the table 400, there are three HR profile descriptors (i.e., features), namely Department, Location, and Level. - As an initial matter, and for ease of explanation, the dataset may be pruned to include just those employees that have the entitlement that is being modeled (e.g. ENT_A), as illustrated in the table 410 of
FIG. 4B . Pruning may be repeated for every entitlement to be modeled, or depending on the specific algorithm adopted may facilitate an approach where pruning is not necessary and yield the same results. Each entitlement may be trained independently. Independent training based on a single entitlement at a time is beneficial in case any technical issues arise during training because the entitlements that have been modelled up to the point where the technical issues occurs can be safely stored and the training may continue where it left off. Entitlements may also be trained in batches or groups, and may be trained simultaneously. Thus, this aspect of training may be considered as the discovery of the rules of an entitlement. - At
operation 302, so called frequent-item-mining may be performed on features of selected profile data. That is, the frequency of all HR features in the dataset above a threshold (known as the support) may be calculated and a prioritized list may be created according to the frequency of occurrence, as illustrated in the table 420 ofFIG. 4C . Each transaction, or employee profile, may then be rearranged by this prioritized list, as illustrated in the table 430 ofFIG. 4D . - In one exemplary implementation, an FP-growth algorithm may be utilized to perform the frequent item mining. The FP-growth algorithm may be implemented on a data analytics execution engine of the
ACS 102, such as Apache Spark® and the algorithm may generate the tree diagram 440 illustrated inFIG. 4E by iterating through each employee transaction. This tree may be considered as a model that contains all the rules listed in the table 440 ofFIG. 4F of the entitlement which can be extracted. This approach may negate the need for profile pruning, and run on the entire employee dataset simultaneously (i.e., those that have and do not have the entitlement in question). - At
operation 305, confidence values for different feature combinations/rules may be determined. As noted above atoperation 300, the employee list may be limited to just those employees having the entitlement being modeled. As such, the rules listed in table 450 ofFIG. 4F were specific to the modeled entitlement and did not consider the profiles of the employees that did not have the entitlement. As such, if confidence scores were to be assigned to each of the rules found, the confidence scores would be exactly 100%. That is, each rule that was discovered would always result in having the modeled entitlement. However, this is not reflective of the true confidence value. That is, the ratio of occurrence of the rule with the entitlement to the occurrence of the rule in the entire employee landscape. Thus, a true confidence level is calculated by determining how often a given rule occurs in the entire employee landscape, as illustrated in the table 460 ofFIG. 4G . In the case where the FPGrowth algorithm is utilized, this step is not necessary as the method is capable of building the entire tree with accurate confidence scores in one step. - According to the table 460 of
FIG. 4G , every employee that is in Finance and atlevel 8 has the entitlement ENT_A, and every financial employee that is based in Berlin has the entitlement ENT_A. The confidence level can be calculated as follows: -
- At
operation 307, redundant features combinations/rules may be removed from the rule set. After the confidence scores have been calculated for all the frequent item sets, there may be a proportion of the items that are redundant due to the rule being encompassed by a higher level (Parent) rule. For example, according to table 450 ofFIG. 4F , if an employee is in Finance and atLevel 8, they are 100% likely to have ENT_A. Therefore the extra location information (e.g. [Finance, Level8, Dublin] and [Finance, Level8, Berlin] and [Finance, Level8, London]) is irrelevant, as long as the employee belongs to Finance and is at level8. In this scenario, three rules may be removed, as illustrated by the stricken through rows of the table 470 inFIG. 4H . - In practice it has been found that about 90% of the discovered rules are redundant in this manner. It should be noted that rules may only be removed when the confidence scores of the parent and child are extremely similar (e.g., all are 100%). Notice that [Finance, Level8] is not made redundant by the fact that [Finance] alone exist. This is because there is a 10% difference in the confidence score and, therefore, the additional information may be important in this instance. This point may be important for prediction as well. It is important to find the highest level reason for assigning an employee an entitlement, and this step promotes this aspect. For example, if there was an entitlement that all employees in an organization had, for example, a ‘birthright’ entitlement, then the only relevant reason for assigning an individual that entitlement is the fact that they are an employee. All other rules that might be discovered for that entitlement would be irrelevant.
- Similarly, if a project team of 25 people need an entitlement, then all that should matter is that they are on that project. The specific tasks/functions they do or have on the project may be irrelevant. However, if only 5 IT employees on the project need the entitlement, then the fact that they are on the project AND belong to IT—is the highest level reason. The previous points assume that the rules in question have the same (or very similar) confidence scores. That is, the additional information of the child rule does not impact the confidence score that was found for the parent.
- The operations above may be performed on all or a subset of entitlements identified in the profile data. For each entitlement, a rules table such as the table 470 in
FIG. 4H may be saved. - Subsequent operations that may be performed are similar to those described above in operations 220-230. For example, at
operation 310, the entitlements may be sorted based on the corresponding maximum confidence values. Atoperation 315, the first N entitlements of the sorted entitlements may be determined to be relevant to the target individual. Atoperation 320, these entitlements may be assigned to the target individual automatically or may be presented, along with the corresponding confidence values, to a reviewer atoperation 325 as recommendations to be approved or rejected at operation. Feedback may be received atoperation 330, and themodel 120 may be updated atoperation 335. - In some cases it may be useful to predict the number of rules that may be generated by the operations above before performing the operations on an entire dataset. This facilitates predicting memory usage and/or other resource requirements that the system will need, which is beneficial to know during system implementation. In some implementations, this may be accomplished by performing the operations on using a training dataset. The training dataset may be repetitively processed to identify rule associated with a relatively small but representative sample of entitlements over a range of features. Each runs through the dataset would be enough to facilitate determination of relationships that would facilitate prediction of how many rules would be expected to be generated for each entitlement and each choice of feature parameter.
- In yet other implementations, the rules generated above may be validated, for example, by testing whether the confidence values for the rules confirm with underlying data.
-
FIGS. 5 and 6 illustrate different types ofpredictive models 120 that may be generated to facilitate controlling access to a plurality oftarget systems 106. For example,FIG. 5 illustrates part of an exemplarypredictive model 500 that corresponds to a decision tree, where each node corresponds to a feature. Thedecision tree model 500 may have been trained based on employee profile data received from theHR system 104. Main features of the exemplarypredictive model 500 used for training themodel 500 in this case included CapabilityDescr, CountryNm, CompanyDescr. Other features used for training that are not illustrated in the graph may include CostCenterDescr, FacilityDescr, MetroCityDescr, ProfitCenterDescr, TalentSegmentDescr, time_since_joined, and many other features. - During training, the
decision tree model 500 may learn the rules necessary to facilitate predicting an outcome that corresponds to a privilege/entitlement. These rules are made by splitting a node at each feature and selecting one out of two possible paths. For example, if “CapabilityDescr” is “software engineering”, “CountryNm” is “UK” and “CompanyDescr” is “Accenture”, then the entitlement output of thedecision tree model 500 would be E1. -
FIG. 6 illustrates exemplary operations for generating a predictive model according to a K-Nearest Neighbors algorithm. Atblock 600, the target individual may be plotted in a space that represents all employees of the enterprise. - At
block 605, the nearest neighbors of the target individual based on features are determined. For example, K may be set to 3, 5, or 7 in a K-nearest neighbor algorithm to select employees of the enterprise having features similar to those of the target individual. - At
block 610, a cluster privilege profile (CPP) that represents entitlements of the nearest neighbors of the target individual is generated, as illustrated in Table 4. -
TABLE 4 E1 E2 E3 E4 E5 E6 . . . E N Employee 1 1 0 1 0 0 0 0 Employee 21 1 0 0 0 0 0 Employee 31 1 1 1 0 0 0 Weight 3 2 2 1 0 0 0 Confidence 100% 67% 67% 33% 0% 0% 0% 0% - Referring to Table 4, each column represents a possible entitlement that a corresponding neighbor employee may have. A value of 1 in the cell indicates that the employee has the corresponding entitlement and a value of 0 indicates that the employee does not have the corresponding entitlement. The weight for each entitlement corresponds to the sum of the cell values in the column and the confidence for each entitlement corresponds to the ratio of the weight/number of neighbors. Thus, according to Table 4, the entitlement having the highest confidence corresponds to E1. The next highest are E2 and E3 and so on.
- At
block 615, the entitlements having a confidence higher than a predetermine threshold (e.g., >50%) are determined to be relevant to the target individual. - At
operation 620, theACS 102 may instructtarget systems 106 and/or applications operating on thetarget systems 106 associated with these entitlements to grant access to the target individual. As with the other approaches, a list of recommendations may be communicated to a reviewer (operation 625) who may accept or reject the recommendations made by the ACS 102 (operation 630). Themodel 120 may be updated based on the feedback provided by the reviewer (operation 635). - Other predictive models may be utilized. For example, in another embodiment, an ensemble method may be utilized generate an ensemble model. The central goal of an ensemble method is to aggregate predictions made by multiple classification models. For example, in one ensemble method, training data that corresponds to feature data associated with all the employees of the enterprise is broken into subsets of training data. Different models are trained for each subset of training data.
- After training each model, test data may be used to calculate the average performance of the model per entitlement. The entitlement data may be represented in binary vector form and the performance of the model may be measured either by the average precision, recall, and/or F1 score.
- The various embodiments described above facilitate efficiently configuring entitlements for new employees of the
enterprise 100. In addition to configuring entitlements for employees, theACS 102 may also facilitate automatic revocation of entitlements for one or more individuals based on usage criteria. For example, referring toFIG. 7 , atoperation 700, afirst target system 106 may report usage information to theACS 102. The usage information may indicate the frequency with which individuals utilized thetarget system 106, the last time the individuals used thetarget system 106, and/or a different usage metric. - At
operation 705, theACS 102 may compare the usage information to a usage threshold to determine whether revocation of an entitlement is warranted. - If at
operation 710, revocation is warranted, then atoperation 715, theACS 102 communicate instructions to thetarget system 106 to revoke the entitlement. - At
operation 720, theACS 102 may update information in the model to reflect that the individual whose entitlement has been revoked, no longer has the entitlement. - The operations described in
FIG. 7 may occur at regular intervals such as every day, week, month, etc. or in real time. The operations facilitate reducing the number of unnecessary entitlements, which has the added benefit of improving security of thetarget systems 106 by reducing the number of individuals with access to thetarget system 106. The changes to the model may result in changes to the predictions made above when assigning entitlements to target individuals. In this way, over time, entitlements may be provided to those with a real need to access thetarget systems 106 rather than all or an unnecessarily large number of individuals across the enterprise. -
FIG. 8 illustrates acomputer system 800 that may form part of or implement the systems, environments, devices, etc., described above. Thecomputer system 800 may include a set ofinstructions 845 that theprocessor 805 may execute to cause thecomputer system 800 to perform any of the operations described above. Thecomputer system 800 may operate as a stand-alone device or may be connected, e.g., using a network, to other computer systems or peripheral devices. - In a networked deployment, the
computer system 800 may operate in the capacity of a server or as a client computer in a server-client network environment, or as a peer computer system in a peer-to-peer (or distributed) environment. Thecomputer system 800 may also be implemented as or incorporated into various devices, such as a personal computer or a mobile device, capable of executing instructions 845 (sequential or otherwise) causing a device to perform one or more actions. Further, each of the systems described may include a collection of subsystems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer operations. - The
computer system 800 may include one ormore memory devices 810 communicatively coupled to abus 820 for communicating information. In addition, code operable to cause the computer system to perform operations described above may be stored in thememory 810. Thememory 810 may be a random-access memory, read-only memory, programmable memory, hard disk drive or any other type of memory or storage device. - The
computer system 800 may include adisplay 830, such as a liquid crystal display (LCD), a cathode ray tube (CRT), or any other display suitable for conveying information. Thedisplay 830 may act as an interface for the user to see processing results produced byprocessor 805. - Additionally, the
computer system 800 may include aninput device 825, such as a keyboard or mouse or touchscreen, configured to allow a user to interact with components ofsystem 800. - The
computer system 800 may also include a disk oroptical drive unit 815. Thedrive unit 815 may include a computer-readable medium 840 in which theinstructions 845 may be stored. Theinstructions 845 may reside completely, or at least partially, within thememory 810 and/or within theprocessor 805 during execution by thecomputer system 800. Thememory 810 and theprocessor 805 also may include computer-readable media as discussed above. - The
computer system 800 may include acommunication interface 835 to support communications via anetwork 850. Thenetwork 850 may include wired networks, wireless networks, or combinations thereof. Thecommunication interface 835 may enable communications via any number of communication standards, such as 802.11, 802.12, 802.20, WiMAX, cellular telephone standards, or other communication standards. - Accordingly, methods and systems described herein may be realized in hardware, software, or a combination of hardware and software. The methods and systems may be realized in a centralized fashion in at least one computer system or in a distributed fashion where different elements are spread across interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods described herein may be employed.
- The methods and systems described herein may also be embedded in a computer program product, which includes all the features enabling the implementation of the operations described herein and which, when loaded in a computer system, is able to carry out these operations. Computer program as used herein refers to an expression, in a machine-executable language, code or notation, of a set of machine-executable instructions intended to cause a device to perform a particular function, either directly or after one or more of a) conversion of a first language, code, or notation to another language, code, or notation; and b) reproduction of a first language, code, or notation.
- While methods and systems have been described with reference to certain embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the claims. Therefore, it is intended that the present methods and systems not be limited to the particular embodiment disclosed, but that the disclosed methods and systems include all embodiments falling within the scope of the appended claims.
Claims (20)
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/016,154 US10686795B2 (en) | 2018-02-20 | 2018-06-22 | System for controlling access to a plurality of target systems and applications |
JP2019027807A JP6987087B2 (en) | 2018-02-20 | 2019-02-19 | A system that controls access to multiple target systems and applications |
AU2019201186A AU2019201186A1 (en) | 2018-02-20 | 2019-02-20 | A system for controlling access to a plurality of target systems and applications |
AU2020256320A AU2020256320A1 (en) | 2018-02-20 | 2020-10-13 | A system for controlling access to a plurality of target systems and applications |
JP2021194612A JP7219325B2 (en) | 2018-02-20 | 2021-11-30 | System for controlling access rights to target systems and applications |
AU2022268298A AU2022268298A1 (en) | 2018-02-20 | 2022-11-08 | A system for controlling access to a plurality of target systems and applications |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/900,475 US10708274B2 (en) | 2018-02-20 | 2018-02-20 | System for controlling access to a plurality of target systems and applications |
US16/016,154 US10686795B2 (en) | 2018-02-20 | 2018-06-22 | System for controlling access to a plurality of target systems and applications |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/900,475 Continuation-In-Part US10708274B2 (en) | 2018-02-20 | 2018-02-20 | System for controlling access to a plurality of target systems and applications |
Publications (2)
Publication Number | Publication Date |
---|---|
US20190260755A1 true US20190260755A1 (en) | 2019-08-22 |
US10686795B2 US10686795B2 (en) | 2020-06-16 |
Family
ID=67618250
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/016,154 Active 2038-05-18 US10686795B2 (en) | 2018-02-20 | 2018-06-22 | System for controlling access to a plurality of target systems and applications |
Country Status (3)
Country | Link |
---|---|
US (1) | US10686795B2 (en) |
JP (2) | JP6987087B2 (en) |
AU (3) | AU2019201186A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10681055B2 (en) | 2018-02-20 | 2020-06-09 | Accenture Global Services Limited | System for controlling access to target systems and applications |
CN112257044A (en) * | 2020-10-29 | 2021-01-22 | 广州新奥达云科技有限公司 | Multi-platform management method and device and computer equipment |
US10997306B2 (en) * | 2018-11-27 | 2021-05-04 | Accenture Global Solutions Limited | Data protection and threat detection |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100199346A1 (en) * | 2009-02-02 | 2010-08-05 | Telcordia Technologies, Inc. | System and method for determining symantic equivalence between access control lists |
US20130047229A1 (en) * | 2011-08-16 | 2013-02-21 | Qualcomm Incorporated | Play time dispenser for electronic applications |
US20140165193A1 (en) * | 2007-07-13 | 2014-06-12 | International Business Machines Corporation | Detecting Anomalous Process Behavior |
US20150033292A1 (en) * | 2013-07-25 | 2015-01-29 | Ddn Ip Holdings Limited | Method and System for Sharing and Distributing Content |
US20150135305A1 (en) * | 2013-11-13 | 2015-05-14 | Intuit Inc. | Method and system for dynamically and automatically managing resource access permissions |
US20170093871A1 (en) * | 2015-09-25 | 2017-03-30 | International Business Machines Corporation | Intelligent access control |
Family Cites Families (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH1049443A (en) * | 1996-08-02 | 1998-02-20 | Nippon Telegr & Teleph Corp <Ntt> | Information processing system |
JP2003162612A (en) * | 2001-09-17 | 2003-06-06 | Hitachi Ltd | Management method and apparatus for license information |
JP2003216497A (en) * | 2002-01-25 | 2003-07-31 | Casio Comput Co Ltd | Database managing device and program |
JP4123472B2 (en) * | 2002-07-23 | 2008-07-23 | 有限会社シードウィン | Human resource utilization support system and personnel utilization support program |
US7865931B1 (en) | 2002-11-25 | 2011-01-04 | Accenture Global Services Limited | Universal authorization and access control security measure for applications |
US7774365B2 (en) * | 2004-08-31 | 2010-08-10 | Morgan Stanley | Organizational reference data and entitlement system |
US20070214497A1 (en) | 2006-03-10 | 2007-09-13 | Axalto Inc. | System and method for providing a hierarchical role-based access control |
US8931055B2 (en) | 2006-08-31 | 2015-01-06 | Accenture Global Services Gmbh | Enterprise entitlement framework |
CN101951375B (en) * | 2010-09-21 | 2014-02-19 | 北京信息科技大学 | Trust assessment-based adaptive trust negotiation system and method |
JP5588811B2 (en) * | 2010-09-29 | 2014-09-10 | 株式会社日立製作所 | Data analysis support system and method |
US8978114B1 (en) | 2012-07-15 | 2015-03-10 | Identropy, Inc. | Recommendation engine for unified identity management across internal and shared computing applications |
US8510794B1 (en) | 2012-07-15 | 2013-08-13 | Identropy, Inc. | Methods and apparatus for a unified identity management interface across internal and shared computing applications |
US9147055B2 (en) | 2013-08-29 | 2015-09-29 | Bank Of America Corporation | Entitlement predictions |
KR101469523B1 (en) * | 2014-08-29 | 2014-12-05 | 한국지질자원연구원 | Context awareness ontology construction method for providing user interest information service based on context awareness |
JP2016181158A (en) * | 2015-03-24 | 2016-10-13 | 株式会社マイト | Qualified person support device, method, and computer program |
US10333918B2 (en) | 2017-02-22 | 2019-06-25 | Accenture Global Solutions Limited | Automated system identification, authentication, and provisioning |
-
2018
- 2018-06-22 US US16/016,154 patent/US10686795B2/en active Active
-
2019
- 2019-02-19 JP JP2019027807A patent/JP6987087B2/en active Active
- 2019-02-20 AU AU2019201186A patent/AU2019201186A1/en not_active Abandoned
-
2020
- 2020-10-13 AU AU2020256320A patent/AU2020256320A1/en not_active Abandoned
-
2021
- 2021-11-30 JP JP2021194612A patent/JP7219325B2/en active Active
-
2022
- 2022-11-08 AU AU2022268298A patent/AU2022268298A1/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140165193A1 (en) * | 2007-07-13 | 2014-06-12 | International Business Machines Corporation | Detecting Anomalous Process Behavior |
US20100199346A1 (en) * | 2009-02-02 | 2010-08-05 | Telcordia Technologies, Inc. | System and method for determining symantic equivalence between access control lists |
US20130047229A1 (en) * | 2011-08-16 | 2013-02-21 | Qualcomm Incorporated | Play time dispenser for electronic applications |
US20150033292A1 (en) * | 2013-07-25 | 2015-01-29 | Ddn Ip Holdings Limited | Method and System for Sharing and Distributing Content |
US20150135305A1 (en) * | 2013-11-13 | 2015-05-14 | Intuit Inc. | Method and system for dynamically and automatically managing resource access permissions |
US20170093871A1 (en) * | 2015-09-25 | 2017-03-30 | International Business Machines Corporation | Intelligent access control |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10681055B2 (en) | 2018-02-20 | 2020-06-09 | Accenture Global Services Limited | System for controlling access to target systems and applications |
US10708274B2 (en) | 2018-02-20 | 2020-07-07 | Accenture Global Solutions Limited | System for controlling access to a plurality of target systems and applications |
US10997306B2 (en) * | 2018-11-27 | 2021-05-04 | Accenture Global Solutions Limited | Data protection and threat detection |
CN112257044A (en) * | 2020-10-29 | 2021-01-22 | 广州新奥达云科技有限公司 | Multi-platform management method and device and computer equipment |
Also Published As
Publication number | Publication date |
---|---|
AU2020256320A1 (en) | 2020-11-12 |
AU2019201186A1 (en) | 2019-09-05 |
JP7219325B2 (en) | 2023-02-07 |
JP2022028899A (en) | 2022-02-16 |
US10686795B2 (en) | 2020-06-16 |
JP2019179547A (en) | 2019-10-17 |
AU2022268298A1 (en) | 2022-12-15 |
JP6987087B2 (en) | 2021-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10679169B2 (en) | Cross-domain multi-attribute hashed and weighted dynamic process prioritization | |
JP7219325B2 (en) | System for controlling access rights to target systems and applications | |
US11128635B2 (en) | System for controlling access to target systems and applications | |
Zheng et al. | Research on the design of analytical communication and information model for teaching resources with cloud‐sharing platform | |
US10810680B2 (en) | Location and social network data predictive analysis system | |
US20170269971A1 (en) | Migrating enterprise workflows for processing on a crowdsourcing platform | |
Enayati et al. | Ambulance redeployment and dispatching under uncertainty with personnel workload limitations | |
JP2006501571A (en) | Selective deployment of software extensions within an enterprise modeling environment. | |
US10990990B2 (en) | Market analysis system | |
US20210042294A1 (en) | Blockchain-based consent management system and method | |
Wang et al. | A bi-objective robust resource allocation model for the RCPSP considering resource transfer costs | |
Safaei et al. | Multi-threaded simulated annealing for a bi-objective maintenance scheduling problem | |
US20200242536A1 (en) | Automated role engineering for enterprise computer systems | |
US20180089633A1 (en) | Cost based auto-negotiation of suitable meeting times | |
US20180046968A1 (en) | Job profile generation based on intranet usage | |
US11361329B2 (en) | Systems and methods for generating optimized market plans | |
Singh | Genetic-variable neighborhood search with thread replication for mobile cloud computing | |
US20230394351A1 (en) | Intelligent Data Ingestion | |
CN116777186B (en) | Operation and maintenance work order dispatching method and device, computer equipment and storage medium | |
US20230101734A1 (en) | Machine learning model to fill gaps in adaptive rate shifting | |
Gayathri et al. | Efficient management of files in the cloud using a desktop application | |
Liu et al. | Service-level computation in time-varying queueing system with priorities: Application to physician staffing in the emergency department |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
AS | Assignment |
Owner name: ACCENTURE GLOBAL SOLUTIONS LIMITED, IRELAND Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:THEXTON, REXALL E.;TANDON, GAURAV;SHUKLA, SANJEEV;AND OTHERS;SIGNING DATES FROM 20180611 TO 20181106;REEL/FRAME:047638/0566 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |